ASA 5510 - Allow traffic from dmz to LAN

    Feb 29, 2012
    I want to enable traffic from a dmz server to a lan host for an LDAP connection.

    I tried with this:
    static (inside,dmz) netmask
    access-list DMZtoInside extended permit udp host host eq 389
    access-group DMZtoInside in interface dmz

    When I apply the access-group I can connect to lan from dmz host, but from dmz host I lose the internet connection.

    Where is the problem?

    This is my config:

    ASA Version 8.2(3)
    name RETE-LOCALE
    name RETE-DMZ
    name INT-OUTSIDE
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address INT-OUTSIDE
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address
    interface Ethernet0/2
    nameif dmz
    security-level 10
    ip address
    same-security-traffic permit intra-interface
    access-list acl_in extended permit tcp any host INT-OUTSIDE eq www
    access-list No.Nat extended permit ip RETE-DMZ #used for VPN
    access-list acl_dmz extended deny tcp any any eq smtp log inactive
    access-list acl_dmz extended permit ip any any
    access-list acl_internet extended permit ip RETE-LOCALE RETE-DMZ
    access-list acl_internet extended permit tcp RETE-LOCALE host
    access-list MAILSERVER extended permit ip RETE-LOCALE host
    global (outside) 2 interface
    global (dmz) 1 interface
    nat (inside) 0 access-list No.Nat
    nat (inside) 2 access-list MAILSERVER
    nat (inside) 1 RETE-LOCALE
    nat (dmz) 0 access-list No.Nat
    nat (dmz) 2 RETE-DMZ
    static (dmz,outside) tcp interface www www netmask
    access-group acl_in in interface outside
    access-group acl_internet in interface inside
    route outside 1
    http RETE-LOCALE inside
    http inside
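One way to get what the question asks for, shown as an added example and not the poster's own config: keep the LDAP permit, but since an interface ACL ends in an implicit deny, the outbound (internet) access the dmz interface had by default before any ACL was applied must now be permitted explicitly. The host names DMZ-LDAP-CLIENT and LAN-LDAP-SERVER, their addresses, and the RETE-LOCALE mask are assumed placeholders, not values from the post.

```cisco
! Placeholder hosts (RFC 5737 documentation addresses, not real values)
name 192.0.2.10 DMZ-LDAP-CLIENT
name 198.51.100.20 LAN-LDAP-SERVER

! Identity static (8.2 syntax) so the dmz host reaches the inside host
! by its real address; this is the static the poster already added
static (inside,dmz) LAN-LDAP-SERVER LAN-LDAP-SERVER netmask 255.255.255.255

! Extend the poster's DMZtoInside ACL. First match wins, and the list ends
! in an implicit "deny ip any any", which is what cut off internet access.
! LDAP binds use tcp/389; udp/389 is CLDAP, which the poster's rule allowed.
access-list DMZtoInside extended permit tcp host DMZ-LDAP-CLIENT host LAN-LDAP-SERVER eq 389
access-list DMZtoInside extended permit udp host DMZ-LDAP-CLIENT host LAN-LDAP-SERVER eq 389
! Block every other dmz -> LAN flow (mask is a placeholder) and log it
access-list DMZtoInside extended deny ip any RETE-LOCALE 255.255.255.0 log
! Keep the outbound smtp block the original acl_dmz carried
access-list DMZtoInside extended deny tcp any any eq smtp log
! Restore outbound access that the implicit lower-to-higher permit used to give
access-list DMZtoInside extended permit ip any any

access-group DMZtoInside in interface dmz
```

Check the result with `packet-tracer input dmz tcp DMZ-LDAP-CLIENT 1025 LAN-LDAP-SERVER 389` and a second run toward an outside address on port 80; the LDAP flow should match the first permit and the outside flow should fall through to the final `permit ip any any`, not to the implicit deny.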